Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:keystone
User: [email protected]
Usertags: pu

Hi,

The security team asked me to go through p-u for this.

[ Reason ]
I'd like to upgrade Keystone to version 2:22.0.2-0+deb12u2,
which will contain 2 security patches.

[ Impact ]
CVE-2026-40683 and CVE-2026-33551.

[ Tests ]
The included patches contain unit tests. Also note that I've put the
CVE-2026-33551 patch in production (CVE-2026-40683 is only for LDAP, which
we do not use), so I'm confident all is working.

[ Risks ]
Patches are small, and easy to understand.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please allow me to upload Keystone 2:22.0.2-0+deb12u2 to Bookworm p-u.

Cheers,

Thomas Goirand (zigo)
diff -Nru keystone-22.0.2/debian/changelog keystone-22.0.2/debian/changelog
--- keystone-22.0.2/debian/changelog    2025-11-11 09:19:08.000000000 +0100
+++ keystone-22.0.2/debian/changelog    2026-04-15 11:10:59.000000000 +0200
@@ -1,3 +1,20 @@
+keystone (2:22.0.2-0+deb12u2) bookworm; urgency=medium
+
+  * CVE-2026-40683 / OSSA-2026-007: LDAP identity backend does not convert
+    enabled attribute to boolean. When the user_enabled_invert configuration
+    option was False (the default), Keystone did not correctly interpret the
+    LDAP enabled attribute, causing users disabled in LDAP to be treated as
+    enabled and allowed to authenticate. Deployments using the LDAP identity
+    backend without user_enabled_invert=True or user_enabled_emulation are
+    affected. Applied upstream patch:
+    - OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
+    (Closes: #1133884).
+  * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can
+    create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2
+    credential creation and deletion" (Closes: #1133118).
+
+ -- Thomas Goirand <[email protected]>  Wed, 15 Apr 2026 11:10:59 +0200
+
 keystone (2:22.0.2-0+deb12u1) bookworm-security; urgency=medium
 
   * New upstream release.
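Review bot: the patch filename quoted in the CVE-2026-40683 entry (OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch) does not match the file actually added to debian/patches/series, CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch; use the real name so the changelog can be checked against the series. The CVE-2026-33551 entry also omits that the fix tightens the ec2 credential policy defaults (the owner now needs the member role), which is a visible behaviour change for reader-role users and for deployments carrying policy overrides, and deserves a sentence here.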
diff -Nru 
keystone-22.0.2/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
 
keystone-22.0.2/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
--- 
keystone-22.0.2/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
keystone-22.0.2/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
 2026-04-15 11:10:59.000000000 +0200
@@ -0,0 +1,70 @@
+Author: Grzegorz Grasza <[email protected]>
+Date: Thu, 26 Feb 2026 10:09:18 +0100
+Description: CVE-2026-33551 / OSSA-2026-005: Prevent unauthorized EC2 
credential creation and deletion
+ A restricted application credential could be used to create EC2
+ credentials granting full user access to S3, bypassing the role
+ restriction. Add the same _check_unrestricted_application_credential
+ guard that already protects application credential create/delete
+ endpoints.
+ .
+ Additionally, tighten the ec2_create_credential and ec2_delete_credential
+ policies to require at least member role, as these are write operations
+ that should not be accessible to reader-role users regardless of whether
+ they are using an application credential.
+Change-Id: Ib6904ec9f1bc069a9f607d39814b1d2633c17f53
+Bug: https://launchpad.net/bugs/2142138
+Signed-off-by: Grzegorz Grasza <[email protected]>
+Bug-Debian: https://bugs.debian.org/1133118
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/983597
+Last-Update: 2026-04-10
+
+Index: keystone/keystone/api/users.py
+===================================================================
+--- keystone.orig/keystone/api/users.py
++++ keystone/keystone/api/users.py
+@@ -387,6 +387,8 @@ class UserOSEC2CredentialsResourceListCr
+         target['credential'] = {'user_id': user_id}
+         ENFORCER.enforce_call(action='identity:ec2_create_credential',
+                               target_attr=target)
++        token = self.auth_context['token']
++        _check_unrestricted_application_credential(token)
+         PROVIDERS.identity_api.get_user(user_id)
+         tenant_id = self.request_body_json.get('tenant_id')
+         PROVIDERS.resource_api.get_project(tenant_id)
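Review bot: the guard is added only to the create handler (the UserOSEC2CredentialsResourceListCr... class in the hunk header), while the Description promises to cover both creation and deletion; either the matching delete handler needs the same `_check_unrestricted_application_credential(token)` call or the Description should be narrowed to what is actually changed. Also confirm that `_check_unrestricted_application_credential` is already defined in or imported into keystone/api/users.py, since this hunk relies on it without adding an import; the Description says it exists for the application credential endpoints, which is plausible but not visible here.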
+Index: keystone/keystone/common/policies/base.py
+===================================================================
+--- keystone.orig/keystone/common/policies/base.py
++++ keystone/keystone/common/policies/base.py
+@@ -64,6 +64,10 @@ ADMIN_OR_CRED_OWNER = (
+     '(' + RULE_ADMIN_REQUIRED + ') '
+     'or user_id:%(target.credential.user_id)s'
+ )
++ADMIN_OR_MEMBER_AND_CRED_OWNER = (
++    '(' + RULE_ADMIN_REQUIRED + ') or '
++    '(role:member and user_id:%(target.credential.user_id)s)'
++)
+ 
+ rules = [
+     policy.RuleDefault(
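Review bot: ADMIN_OR_MEMBER_AND_CRED_OWNER hard-codes `role:member` rather than reusing an existing rule string, and carries no comment explaining why owner access to ec2 credentials now requires member while the adjacent ADMIN_OR_CRED_OWNER does not; a one-line comment referencing OSSA-2026-005 would help the next person touching these rules. Keep in mind that deployments with a policy file overriding the old rules keep their own check strings, so this hardening only takes effect where the defaults are in use.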
+Index: keystone/keystone/common/policies/ec2_credential.py
+===================================================================
+--- keystone.orig/keystone/common/policies/ec2_credential.py
++++ keystone/keystone/common/policies/ec2_credential.py
+@@ -58,7 +58,7 @@ ec2_credential_policies = [
+     ),
+     policy.DocumentedRuleDefault(
+         name=base.IDENTITY % 'ec2_list_credentials',
+-        check_str=base.ADMIN_OR_SYSTEM_READER_OR_OWNER,
++        check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER,
+         scope_types=['system', 'project'],
+         description='List ec2 credentials.',
+         operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
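Review bot: this hunk changes ec2_list_credentials, a read operation, from ADMIN_OR_SYSTEM_READER_OR_OWNER to ADMIN_OR_MEMBER_AND_CRED_OWNER, which removes list access for system readers and for owners holding only the reader role; the patch Description only talks about tightening ec2_create_credential and ec2_delete_credential, so either this change is unintended in the backport or the Description and the changelog should state it explicitly.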
+@@ -67,7 +67,7 @@ ec2_credential_policies = [
+     ),
+     policy.DocumentedRuleDefault(
+         name=base.IDENTITY % 'ec2_create_credential',
+-        check_str=base.RULE_ADMIN_OR_OWNER,
++        check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER,
+         scope_types=['system', 'project'],
+         description='Create ec2 credential.',
+         operations=[{'path': '/v3/users/{user_id}/credentials/OS-EC2',
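Review bot: the 70-line patch file ends after the ec2_create_credential rule, so the ec2_delete_credential policy change named in the Description, the delete-handler guard, and the unit tests the cover mail says are included ("The included patches contain unit tests") are not in this file; compare it against the upstream change at https://review.opendev.org/c/openstack/keystone/+/983597 to confirm the backport is complete before uploading.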
diff -Nru 
keystone-22.0.2/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
 
keystone-22.0.2/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
--- 
keystone-22.0.2/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
keystone-22.0.2/debian/patches/CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
       2026-04-15 11:10:59.000000000 +0200
@@ -0,0 +1,65 @@
+Author: Benedikt Trefzer <[email protected]>
+Date: Thu, 21 Aug 2025 16:11:12 +0200
+Description: CVE-2026-40683 / OSSA-2026-007: fix ldap 'enabled' setting not 
interpreted as boolean
+ interpretation of the ldap enabled attribute as boolean
+ is only done if enabled_invert setting is set to true.
+ .
+ Conflicts:
+  keystone/identity/backends/ldap/core.py
+ .
+ NOTE(elod.illes): conflict is due to Blakify patch [1] that was added
+ in 2024.2 Dalmatian release.
+ .
+ [1] I832ec4c152fa58fb0088d9f880add86a20ec95fc
+Bug: https://launchpad.net/bugs/2121152
+Bug-Debian: https://bugs.debian.org/1133884
+Change-Id: I7260bf46adf003aef7c7ac0d436c3758f658cb0c
+Signed-off-by: Benedikt Trefzer <[email protected]>
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/984587
+Last-Update: 2026-04-15
+
+Index: keystone/keystone/identity/backends/ldap/core.py
+===================================================================
+--- keystone.orig/keystone/identity/backends/ldap/core.py
++++ keystone/keystone/identity/backends/ldap/core.py
+@@ -254,6 +254,7 @@ class UserApi(common_ldap.EnabledEmuMixI
+         self.enabled_default = conf.ldap.user_enabled_default
+         self.enabled_invert = conf.ldap.user_enabled_invert
+         self.enabled_emulation = conf.ldap.user_enabled_emulation
++        self.attribute_ignore = conf.ldap.user_attribute_ignore
+ 
+     def _ldap_res_to_model(self, res):
+         obj = super(UserApi, self)._ldap_res_to_model(res)
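Review bot: self.attribute_ignore is assigned here from conf.ldap.user_attribute_ignore, but the common LDAP base class normally derives an attribute_ignore list from the per-object `<name>_attribute_ignore` option for each mapping; if that holds in this tree the assignment is redundant and can be dropped, and if it does not, a short comment saying why UserApi needs its own copy would save the question on the next rebase.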
+@@ -261,7 +262,10 @@ class UserApi(common_ldap.EnabledEmuMixI
+             enabled = int(obj.get('enabled', self.enabled_default))
+             obj['enabled'] = ((enabled & self.enabled_mask) !=
+                               self.enabled_mask)
+-        elif self.enabled_invert and not self.enabled_emulation:
++        elif (
++            not self.enabled_emulation
++            and 'enabled' not in self.attribute_ignore
++        ):
+             # This could be a bool or a string.  If it's a string,
+             # we need to convert it so we can invert it properly.
+             enabled = obj.get('enabled', self.enabled_default)
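Review bot: the new condition runs this branch whenever emulation is off and 'enabled' is not ignored, regardless of user_enabled_invert, so the retained comment "we need to convert it so we can invert it properly" is now stale; reword it to say the value is normalised to a boolean and only then optionally inverted. This is the core of the fix: before it, with user_enabled_invert=False the raw LDAP value was stored untouched, which is how, per the changelog, users disabled in LDAP ended up treated as enabled.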
+@@ -270,7 +274,10 @@ class UserApi(common_ldap.EnabledEmuMixI
+                     enabled = True
+                 else:
+                     enabled = False
+-            obj['enabled'] = not enabled
++            if self.enabled_invert:
++                obj['enabled'] = not enabled
++            else:
++                obj['enabled'] = enabled
+         obj['dn'] = res[0]
+ 
+         return obj
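Review bot: the explicit `if self.enabled_invert: ... else: ...` is fine as written for a security backport (the shorter `obj['enabled'] = enabled != self.enabled_invert` would be harder to read); what is missing is a regression test asserting that a user whose LDAP enabled attribute is false is reported disabled with user_enabled_invert=False and emulation off, since nothing under keystone/tests is touched by this 65-line patch.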
+Index: 
keystone/releasenotes/notes/fix_ldap_enabled_boolean-6281eb00e5aaed26.yaml
+===================================================================
+--- /dev/null
++++ keystone/releasenotes/notes/fix_ldap_enabled_boolean-6281eb00e5aaed26.yaml
+@@ -0,0 +1,4 @@
++---
++fixes:
++  - |
++    Ldap identity backend did not interpret the enabled field as boolean.
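Review bot: the release note is a single sentence that names neither the affected configuration (user_enabled_invert=False with user_enabled_emulation off, as the changelog spells out) nor the CVE/OSSA identifiers; extend it so operators reading release notes can tell whether they were exposed, and write "LDAP" rather than "Ldap".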
diff -Nru keystone-22.0.2/debian/patches/series 
keystone-22.0.2/debian/patches/series
--- keystone-22.0.2/debian/patches/series       2025-11-11 09:19:08.000000000 
+0100
+++ keystone-22.0.2/debian/patches/series       2026-04-15 11:10:59.000000000 
+0200
@@ -6,3 +6,5 @@
 Allow_admin_to_access_tokens_and_credentials.patch
 Dont_enforce_when_HTTP_GET_on_s3tokens_and_ec2tokens.patch
 keystone-bug-2119646-stable-2024.1.patch
+CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
+CVE-2026-40683-OSSA-2026-007-fix_ldap_enabled_setting_not_interpreted_as_boolean.patch
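Review bot: the two new patch names use different separators between the CVE and OSSA identifiers (`~` in CVE-2026-33551~OSSA-2026-005_... and `-` in CVE-2026-40683-OSSA-2026-007-...); pick one convention so the series stays consistent with the existing entries.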
